Two pros weigh in: Should the DPO be a lawyer? Perhaps an auditor?

Thomas Shaw, CIPP/E, CIPP/US IAPP Member Contributor

In January, Thomas Shaw wrote an article for The Privacy Advisor on the essential job skills of data protection officers under the General Data Protection Regulation. Having read it, Emma Butler responded online with her views, and, after some back-and-forth, the two decided to write an article together highlighting the many areas they agreed upon and further analyzing where their perspectives and insights differed.

Shaw is a privacy and technology lawyer who has worked across disciplines around the world, while Butler was a long-time member of the U.K. Information Commissioner’s Office and is a current DPO. Both are based in the EU.

Editor's note: Emma Butler was the featured guest on the IAPP Web conference series, "Ask the DPO," on April 4. The program, available as a recording for new registrants, is free to IAPP members.

Thomas Shaw: On DPO job skills

In my previous article on the essential job skills of data protection officers (DPOs) under the GDPR, I discussed those job skills that DPOs must have as prescribed by the actual language of the GDPR. Then based on my experience, I described the type of professional expertise best suited to fulfill that GDPR requirement. To a large extent, I was writing my own CV, knowing how each of these skillsets would bring value to the DPO role. I believe a single skilled resource should be the starting position for organizations. If such a resource cannot be found, then the DPO candidate must be supplemented with members of the DPO team who have the skills the DPO may lack.

The GDPR requirements for the DPO’s skills, qualities, and tasks include:

risk assessments, countermeasures, and data protection impact assessments;
expert knowledge of data protection law and practices;
performing duties and tasks in an independent manner;
not receiving any instructions regarding the exercise of those tasks;
performing other tasks, only if these do not result in a conflict of interests;
handling data subject requests;
marshaling resources and leading people and projects;
maintaining his or her expert knowledge;
being bound by secrecy or confidentiality;
directly reporting to the controller/processor’s highest management level, and
cooperating with and acting as the contact point for the supervisory authority.

Professions matching DPO job skills

The two professions best suited to carry out the role of the DPO are experienced privacy- and technology-focused lawyers and IS auditors licensed as certified public accountants or chartered accountants. A privacy- and technology-focused lawyer is a licensed professional with hands-on experience with IT programming and operations, IS auditing, and privacy certifications/seals and information-security standards, in addition to experience with varied privacy and information security laws, policies, and provisions. IS auditors would have experience with various types of attestation audits, including privacy and security. Both should have the appropriate professional privacy- and information-security certifications.

Both types of professionals should be able to carry out the following aspects of the DPO role equally well: reporting directly to the highest management level of the controller/processor; exercising the tasks of the DPO without receiving instructions; working in an independent manner, and being sensitive to not creating any conflicts of interest. Licensure rules for the regulated professions of lawyer and public/chartered accountant both require continuing competence, maintaining integrity, avoiding conflicts of interests, taking sufficient continuing education to maintain his or her expert knowledge, and being bound by rules of professional secrecy and confidentiality. Although lawyers tend to have a broader code of ethics to comply with, lack of compliance with their respective ethical rules by those in either profession could lead to loss of their ability to practice publicly.

The two professions best suited to carry out the role of the DPO are experienced privacy- and technology-focused lawyers and IS auditors licensed as certified public accountants or chartered accountants. — Shaw

Both professions need to have significant negotiation skills, although given their typical roles, the lawyer will likely have deeper negotiation experience. Both should have knowledge of risk assessments, countermeasures (including those implemented in software by programmers and in IT infrastructure), and data protection impact statements, although auditors will likely have more in-depth risk-mitigation experience. Both may have understandings of privacy by design and default, but the auditor may have more in-depth knowledge through assessing control design. Both should be able to marshal and lead resources, teams, and projects and handle data-subject requests without difficulty, handle internal and external relationships, communicate effectively with all parties, educate controller/processor personnel and data subjects, and raise data protection awareness.

What tips the balance between the two is the requirement to have expert knowledge of data protection law and practices, which is something to be expected from the lawyer but not from the auditor. This requirement is more complicated than it appears, as it involves not only the GDPR but other EU law such as the ePrivacy Directive (or its successor) and relevant cases, and also likely, given the global interplay of organizations, the data protection and other relevant laws as well as cases of many jurisdictions, and the necessary conflict-of-laws analyses to determine which laws prevail. In an independent role, a DPO providing legal advice and analysis who is not a licensed lawyer may also become involved in the unauthorized practice of law. If they instead use the organization’s corporate counsel to perform the legal analyses, the DPO may no longer be viewed as independent.

Therefore, my opinion is that the best professional to fill the role of DPO under the GDPR is an experienced privacy- and technology-focused lawyer. The privacy and technology focus of this lawyer is essential, as these would not be typical skills of the average lawyer. There are other qualities of a lawyer that also weigh in their favor as the best profession to fill the DPO role, including the use of legal privilege in certain cases when the controller or processor is subject to litigation or other adverse actions and possibly in their role as a witness or expert in legal cases. The second-choice professional to fill the DPO role should be an experienced and licensed (CPA/CA) IS auditor, one who has significant experience in leading various types of audit engagements. For either choice, the DPO team should have a member that complements the DPO, such as an experienced IS auditor, when a privacy- and technology-focused lawyer is the DPO.

Beyond those two professions, it gets more complicated for organizations trying to fill the DPO role with other types of professionals, multiple people, and/or with a combination of internal, hired, and outsourced resources. As a rule, in these types of situations, organizations must stick hard and fast to the following two rules. First, they must not utilize anyone in the DPO role who could create a conflict of interest. For example, as a recent case in Germany demonstrated, the role of IT manager is inappropriate for the role of DPO under current German law, given the required independence of the DPO from IT operations. Second, any resource filling the DPO role must have sufficient legal and technical skills to carry out an independent assessment of the organization’s data protection practices without relying primarily upon the judgment of the organization’s staff.

DPO hiring errors

I continue to review DPO job postings here in the EU and am regularly frustrated by some organizations’ understanding of the requirements for DPOs under the GDPR. The most common errors are looking for DPOs with too little experience (a few years is a common requirement), insufficiently broad job experience (focusing on only one of several needed disciplines), and lack of independence, with DPOs reporting into IT, legal or compliance organizations instead of the board as the GDPR requires.

Another error is that organizations assume that their current DPO or similar should be their DPO under the GDPR. That may certainly be valid, but it would be a useful exercise to vet the existing DPO against the job skills discussed above. When discussing the role of the DPO under the GDPR, examples are often cited based upon current experiences under existing legislation, primarily national enactments of the Data Protection Directive. I believe, while instructive and possibly the best historical examples that we have in the region, the DPO role under the new GDPR legislation is a somewhat different role, one that may require consideration of what is now required and intended before organizations which already have a DPO automatically slot that person into the DPO role under the new law.

Another common misconception, which an army of vendors are perpetuating including unfortunately the IAPP itself, is that you can create a DPO merely with training and certifications without basing it first upon a broad foundation of existing diverse skills gained through years of experience. There is some belief that one can make a DPO out of an inexperienced resource. That is just not accurate. What can be accomplished is for an organization to train an existing experienced resource, with many of the professional skills and responsibilities discussed above, in the specifics of the GDPR and hopefully deploy that resource in time into the role of DPO. While using an inexperienced resource can be viewed as the way forward for cost or resource-constrained organizations, they may be making a choice between full compliance with the GDPR and their other business objectives. Given the significant penalty regime of the GDPR, organizations should consider the need to staff the DPO role appropriately from the start to achieve their short and long-term goals.

A response: by Emma Butler

There is a lot of attention at the moment on the role of the DPO under GDPR and what skills and qualities are needed. Here is my take on what your DPO should have and what’s nice to have.

Role

Data protection law is a framework for handling personal information fairly and responsibly, and it therefore touches most, if not all, parts of a business. Equally, those responsible for data protection compliance in a business will find that their role touches most if not all parts of the business. Whether you are a lone DPO, part of a team or head of a privacy office, the role requires a wide variety of tasks, skills and experience that cannot actually be fulfilled in its entirety by one person. The key point about a DPO role is that you need to be able to work together with all departments in a business to be successful.

Skills and knowledge

The DPO is the role responsible for thinking about compliance, considering the individual as well as the business, explaining requirements, and bringing together the right people to get the job done. So, leadership, being able to see the big picture and project management skills are particularly relevant.

A DPO needs to know not just what the law says, but what it means, and how it applies to the business in question and its activities. I do not believe that only a lawyer can have this knowledge and these skills, and I strongly believe that you don't have to be a lawyer to understand a piece of law. Almost all of the staff of the ICO do not have legal qualifications, and there are many examples of successful DPOs and CPOs who are not lawyers. What is actually more difficult is to apply the law in practice, and to be able to come up with creative solutions so the business achieves their aims and you achieve your privacy compliance. This is not a skill exclusive to those with legal qualifications.

A DPO needs to know not just what the law says, but what it means, and how it applies to the business in question and its activities. I do not believe that only a lawyer can have this knowledge and these skills, and I strongly believe that you don't have to be a lawyer to understand a piece of law. — Emma Butler

A successful DPO uses the law, regulator guidance, case law, good practice gleaned from peers and cases where it went wrong, and their own experience for all the above to advise their business appropriately. A clever DPO builds on and uses the expertise available across the business from the other functions; crucial to getting buy-in and support.

Communication skills are key: you have to be able to communicate the above to the different parts of the business in a language and format they understand. You’re aiming to get data protection embedded into the policies, processes and culture of the organization to be business as usual. That’s the end game of the GDPR accountability principle.

It is no longer just about lawyers vs. non-lawyers. A whole plethora of qualifications has sprung up as people see the money to be made out of GDPR. — Butler

There is no such thing as too much knowledge or too many skills, so it’s a bonus if a DPO has skills and knowledge of any of the functions they commonly work with, such as HR, legal marketing, IT, audit, risk management, procurement, product development, sales, and so on. It is becoming increasingly important to understand new technology and more and more businesses are certifying to ISO 27001, so a DPO who gets information-security controls and who can get to grips with things like algorithms, deep learning, encryption and similar is at an advantage.

Experience

The experience you need depends on the scope and level of privacy role. Some of the staff you need to carry out some of the GDPR DPO role/tasks could be at a more junior level. It is likely that the person you need to lead the GDPR compliance work and to be the key DPO contact for you will need to be a senior role. Regardless of level, experience in a sector is an advantage, even if it was in a different role. Equally, the skill mentioned above of applying the requirements to the current business scenario means DPOs are not limited to always working in the same sector, and cross-sector expertise is also helpful, as you can bring new thinking to the table.

Qualifications

It is no longer just about lawyers vs. non-lawyers. A whole plethora of qualifications has sprung up as people see the money to be made out of GDPR. Those looking to hire DPOs and/or GDPR leads need to be careful not to be dazzled by qualifications, but to make sure they write a job description based on what they actually need, and hire the right person for the role and the business. I am not saying qualifications are not important, but they are many and varied and not all may be appropriate for what you need. Qualifications in other areas, such as people management, conflict resolution, law or project management can though be helpful, again, depending on what you need.

The privacy profession is young compared to other industries and is developing at a fast pace. It has some great qualities compared to other professions, most notably that there are equal numbers of men and women in the role and in senior positions, and that privacy professionals come from all walks of life, and bring so much rich experience to the table. That can only be a good thing to develop the profession.

The GDPR DPO role should lead to a wealth of opportunities in larger companies for aspiring privacy professionals to join compliance teams and gain and bring valuable experience. And that can only be a good thing for us all.

In my view, the absolute must-have is someone who understands what the law says, what it means, and how to apply to it the business in question, plus who has the relationship and communication skills to become a trusted advisor to the business, known to all its functions, and seen as a key ally to help get the job done, avoid compliance headaches, and embed data protection to be business as usual.

A further response: by Thomas Shaw

The first time I read Emma's response was after it had been published, and so I am able to respond to it only now, post-publication. I have a number of concerns with the response but due to time and space constraints, I will describe only a few here.

One concern involves the flaw of conflating the role of the Chief Privacy Officer (CPO) with that of Data Protection Officer (DPO) under the GDPR. The role of a CPO could well be described by what was written in the response. But the new role of DPO is different. The DPO as specified by the GDPR must maintain independence and avoid conflicts of interest, in addition to acting as the point of contract, cooperation, and consultation with the DPAs. As the Article 29 DP Working Party stated in its December 2016 Guidelines on Data Protection Officers (‘DPOs’), “the DPO’s primary concern should be enabling compliance with the GDPR.” It then stated that “chief privacy officers ('CPO's) or other privacy professionals already in place today in some companies, who may not always meet the GDPR criteria, for instance, in terms of available resources or guarantees for independence, and therefore, cannot be considered and referred to as DPOs.”

Although my article clearly does not say that the DPO must be a lawyer, having such a professional will help address a second concern in the response. The DPO is required by the GDPR to have “expert knowledge of data protection law.” The Article 29 DP Working Party in its December 2016 Guidelines stated that DPOs “must not be instructed to take a certain view of an issue related to data protection law, for example, a particular interpretation of the law.” The DPO will be independently providing legal advice on data protection law to the controller or processor as part of his/her tasks. If the DPO is not a lawyer, then this could involve them in the unauthorized practice of law. Although a complex area of law not easily summarized, it appears that a majority of EU member states and a significant number of non-EU states including the United States of America consider the provision of legal advice for compensation to be a “reserved” activity that can legally only be done by licensed legal practitioners. Those in jurisdictions like England with its more limited number of legal activities reserved only for licensed lawyers may not understand these legal restrictions of other countries.

Another concern with the response is that it seems to consider a more simplified legal compliance situation, not the more complex (and perhaps typical) situations where the required expertise in data protection law includes the need to understand and coalesce a large number of differing laws, regulations, guidance, and legal cases from different countries, including privacy and information security laws, data breach and cybercrime laws, consumer protection laws, labor and employment laws, etc., and possibly apply conflict of law and procedural rules. Could this complicated legal work be done without a lawyer in the DPO team? It may be but would it be appropriate for an organization to undertake that risk?

In summary, my article has suggested that privacy lawyers or licensed IS auditors would be the best professions to fill the role of DPO as specified under the GDPR. They are not the only professions who can fulfill the DPO role under the GDPR, just the best-qualified based on their varied skills as I previously explained and should be the starting point for organizations searching for a new DPO, within resource availability and financial constraints. If not designated as the DPO, these professions should at a minimum both be present as members within the DPO team, to best ensure compliance with the GDPR.

photo credit: Garen M. Two Cents via photopin (license)

From the editor:

Due to a miscommunication, a small portion of this article originally went to press without Thomas Shaw having seen Emma Butler’s response. For that reason, we have amended this piece with a further response from Shaw at the finish so that he might consider her points and reply.

Authors

Emma Butler, FIP Nonmember Contributor

Thomas Shaw, CIPP/E, CIPP/US IAPP Member Contributor

15 Comments

If you want to comment on this post, you need to login.

James Keese • Mar 28, 2017

In an article regarding the CPO position (which also could be DPO) posted on my LinkedIn page in Sept. 2015, it supports Emma position, extracts include:

So, what skills and experience should your next CPO have under their “belt”? To answer this question you may need a crystal ball. If you don’t have one or yours has been wrong in the past, here are a few thoughts:
 Leader – ability to motivate, mentor, develop and guide staff, employees and vendors;
 Technologist – understand systems, databases, networking, cloud computing, access, and audit controls. Not at the “geek” level, but enough to validate what IT is recommending;
 Advocate – able to battle for the privacy rights of the consumer, customer, client or employee;
 Partner – business savvy, ability to work with legal, compliance, marketing, info sec, human resources (to name a few) departments and provide risk based solutions and alternatives;
 Politician – must be able sell the program internally and externally;
 Strategist – capable of understanding the business vision and translating the privacy
requirements to enable the use of personal data in order to enable the vision;
 Accountable – for regulatory compliance, data use, data breaches, business and financial risks; and
 Lawful – work with the legal department to secure guidance, overlay the guidance onto the operational practices and report to regulators on the level of compliance.

With increasing oversight and scrutiny by customers, clients and increasing expansion of regulations, the privacy office will be tasked with measuring, reporting, managing and selling the organization’s compliance level to regulators, the board, executive committee and media.

With this said, finding the perfect lawyer, operations, technologist or compliance candidate is a complex task. Any experienced individual in the privacy field would be the first to advise finding a CPO who can master all of these concepts would be like finding a needle in the haystack.

René Volwerk • Mar 29, 2017

This article brings us 2 different viewpoints on the manner in which  the position of a DPO can be filled. Is it a tech-savvy lawyer or a legal-savvy auditor? In my experience a tech-savvy lawyer is almost a contradiction in terms. Most lawyers I've met in  privacy cases in the Netherlands  have limited  IT knowledge.  There are exceptions but law and IT are not a natural knowledge set. Up to date knowledge on security matters is even more scarce. This doesn't have to hinder a DPO from performing his or her duties in my opinion. The DPO must have a working knowledge of privacy law, IT and security but the 80/20 rule does apply. The highly specialized cases outside of the working knowledge can be handled through access to and cooperation with independent specialists. It is impossible to keep up with all developments these days  due to the rapid development of IT and security. So consulting with specialists will be a necessity for any DPO. This will invariably include legal matters as well. The knowledge aspect of the DPO is important, but the most important aspect will be the ability to get Data Protection on the agenda and organized to a level required by the GDPR. This requires mainly competences and skills and much less knowledge

Toby Stevens • Mar 29, 2017

Well done to Emma on calling this canard for what it is. I wonder if IAPP as a professional body is aware of just how much damage this particular view is doing to its standing? Mr Shaw’s viewpoint is that I’m not qualified to be a DPO. I’m not a lawyer, my degree is in computer systems engineering, followed by 10 years in information security, and then 15 years in privacy, during which time I’ve worked for startups and FTSE100 companies, central and local government, charities and institutions. I’ve given evidence in Parliament, argued with cabinet ministers, spoken at conferences, written papers, appeared on TV, sat on the IAPP’s European Advisory Board and scooped up a couple of professional fellowships. But his divisive and demeaning start point is that I’m not fit to be a DPO. Regardless of who is right or wrong here, by giving platform to a debate that starts with “only a lawyer can be a DPO” is offensive to a large number of current, potential and former members, and it is a debate which will only disenfranchise a big chunk of IAPP’s audience.

What’s missing from this debate is some recognition of what most organisations need _right_now_ as they prepare for the GDPR. I’m not talking about the major corporates who already have internal counsel and privacy functions that need to be tweaked for GDPR compliance. I’m talking about the vast majority of companies, including plenty of FTSE100 sized entities, who are having to start with an entirely informal data protection function today with no actual DPO, and get that up to speed as a GDPR-compliant delivery within the next 14 months. If they hire a lawyer to lead their delivery, they’re dead in the water before they begin: no matter how good or experienced, that lawyer will have no working knowledge of how to get a major business transformation project off the ground in the company in time for enforcement. They won’t have the relationships they need to ease the way of complex delivery, they won’t understand the internal red tape, they won’t have the trust of the senior executives. Most importantly, they won’t know how to lay their hands on the internal budgets, and we shouldn’t kid ourselves that we’re the most important game in town: no matter how important GDPR is, we still have to compete with security and PCI and SOX and every other call on the business to fund projects, cut costs, boost profits. In short, a GDPR delivery manager who doesn’t know the business is doomed to failure, whether or not they’re a lawyer.

So I’d like to offer a third way: as we move towards GDPR, I’d argue that for companies which are effectively a green field site for data protection (no permanent function, low maturity of data protection practices), the best option is to find someone from within to lead the work, and get them qualified as a DPO as they go. Yes, they’ll need to be able to draw on legal advice, but they’ll have the knowledge of the organisation, the relationships with colleagues and senior management, the political nous, and the insights into what really needs to be done. They’ll stand a much better chance of delivering the necessary outcome than a fresh-faced lawyer, and they’ll probably be much cheaper into the bargain. What’s not to like about a non-lawyer as DPO?

Stuart Ritchie • Mar 29, 2017

Good discussion, and I commend both Thomas and Emma for getting together on this critically important topic.

I start from the basics, in this instance the law. The DPO is statutory. So our starting point is the statutory criteria: expertise, professionalism, and abilities (plus conflicts/independence). All are distinct; and all are necessary to avoid automatic breach by the controller (though DPO appointment breach attracts only half the fine).

Overall I incline toward the position of Thomas rather than Emma. This is because he, correctly in my view, focuses on professional qualities, and correctly identifies that as deriving from professional status. That also takes care of the independence issue. (though I'm uncertain as to why Thomas talks about the danger of the DPO consulting internal Counsel when the DPO can simply hide behind Article 36, which is tailor-made for this situation)

As for expert knowledge of data protection law (and practices), I'm mid-way between Thomas and Emma. You don't have to be a lawyer to have such expertise - a masters degree in data protection-related law will be sufficient (ironically this is precisely what I did before studying basic law). Why a LLM? Because DPOs will be called to give evidence in Court. In my view, based on Court experience, a LLM is the absolute minimum level of expertise required for both basic credibility and surviving cross-examination as an expert in (foreign) law - without which the plaintiff automatically wins any GDPR case anyway by knockout in the first round, as it were. Of course I accept that in the next year or two we'll just have to put up with literally amateur certifications such as CIPP/E and (to be fair!) my own courses.

I explore both those issues in my submission to WP29 January 31, 2017, copied to https://www.gdpr360.com/gdpr-right-to-portability-submission-to-article-29-working-party-stuart-ritchie. For those interested in abilities, I also set out a shopping list headed by what I regard as the six essentials, including mediation (which I notice has not been discussed herein).

James makes some interesting points about the CPO. The difficulty is the DPO is a statutory office, while the CPO is not, so his piece goes only to abilities to perform the statutory tasks where they overlap with the ordinary tasks of a CPO.

René says "Most lawyers I've met in privacy cases in the Netherlands have limited IT knowledge". I concur in respect of most English and European lawyers I have met, with the exception of those who sell their soul to the dark side and become patent attorneys or IP specialists. And yet an astonishing number of US lawyers come from a first career in IT or other technical area, as did I in my own native country. I know that some US lawyers already have crossed the Atlantic to cross-train in EU law with the intent of becoming European DPOs. I suspect many more may do so over the next few years, and would encourage it to relieve the expertise lag. There is a certain elegant irony in this!

Andy Bloom • Mar 29, 2017

As a non-lawyer CPO at a global organization, its difficult to not have a visceral reaction to Mr. Shaw's comments. That said, the big flaw in his entire argument is that he ignores the fact the privacy is a profession. While many of us may have come from other professions, and may still have one foot in those professions (e.g., I still hold my CISSP), we are privacy professionals now. I think we can all agree that the DPO should be filled by a privacy professional.

Jose Alvarenga • Mar 31, 2017

Totally agree with Emma Butler. 
“The key point about a DPO role is that you need to be able to work together with all departments in a business to be successful”.
In my view, the absolute must-have is someone who have the management know-how and the experience to put a team together and lead an organization to Data Protection compliance.

Roger Edwards • Mar 31, 2017

A couple of simplifications may lead to misleading conclusions:  First the implication that anyone can read the text of a law and understand it fails to acknowledge that understanding the GDPR is much more about understanding  the complicated interplay between multiple provisions even before assessing derivations. Secondly with respect to the seniority of the person, having had to present to a room of skeptical technology executives to convince them to divert revenue-producing personnel to privacy compliance activities (don't expect the welcome mat) there is significant benefit to making sure the DPO has sufficient business experience and credibility to "move the company" by persuasion rather than having to constantly invoke the terror of sanctions.  Anyone certified as "expert" can be appointed, but if they are not effective in the role how do they really lower the company's risk exposure?

Lyn Boxall • Apr 1, 2017

I'm a lawyer, but I agree with Emma more than I agree with Thomas. This is because I've come across too many lawyers who don't know what they don't know about this area of practice ... and don't want to find out. And they're particularly clueless on the IT side of things while taking the attitude that it's someone else's problem. I appreciate Thomas's comments about seniority and the need for experience, that training is not enough. But I doubt that there's a great deal of choice because the demand for DPOs will surely be well in excess of the number of people with a high level of experience.

Experience in running a privacy programme is not necessarily a good thing. I'm working in Singapore, where we've had a DPO requirement for nearly three years. Many of the larger financial institutions and other companies hired experienced privacy professionals from Europe. It wasn't necessarily a good move from the perspective of the individual and/or the organisation. Operating an established privacy programme where there has been 20 years to work out the wrinkles is entirely different to devising and implementing a new privacy programme.

Change, people and project management, communication skills and various other soft skills - the list put forward by James Keese in his comment - are, I would argue, far more important than subject-matter expertise in data protection/privacy law. That's not to say that there doesn't need to be a subject-matter expert on hand. There does. But in many cases, getting the law right isn't the hardest part of the job.

Ken Mortensen • Apr 10, 2017

I'd like to make one stylishly late comment to add to the discussion here.  I do disagree with Thomas on having an auditor being a good fit for a data protection role.  Now, likely that because I come from a CPO and CISO background, in which I was very operationally focused (my legal background did have value given my specific employers, but I would not say that you have to be a lawyer) and my experience with auditors, especially ones that are certified public accountants, is that they may know how to audit controls, but they are particularly ill-suited to integrate controls to permit a business to operationalize privacy and security.  So, an auditor may be fine if all you want in the role is someone to address auditing and monitoring, but not be responsible for strategy or operations (or even corrective action planning for that matter).  For that, strategy and operations, I have found that subject matter on the ground experience and expertise (the two are not the same) trumps any legal or auditing skills.  Knowing how to guide your business through data protection while still allowing innovation and growth will be the key factor to success, both for the DPO and for the business.

Thomas Shaw • Apr 12, 2017

I wanted to add a new development.  The Article 29 DP Working Party just released their revised April 2017 Guidelines on Data Protection Officers (DPOs) and there are several important revisions to note.  

For DPO professional qualities, it now states that “DPOs must have expertise in national and European data protection laws” while the December 2016 version said “should” have such expertise.   

For DPO confidentiality, the following was added “The DPO is bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law (Article 38(5)).” 

For the DPO’s role vis a vis the DPA, the following was added “However, the obligation of secrecy/confidentiality does not prohibit the DPO from contacting and seeking advice from the supervisory authority. Article 39(1)(e) provides that the DPO can consult the supervisory authority on any other matter, where appropriate.”

For DPO reporting lines, the following was added “Article 38(3) provides that the DPO ‘shall directly report to the highest management level of the controller or the processor’. Such direct reporting ensures that senior management (e.g. board of directors) is aware of the DPO’s advice and recommendations as part of the DPO’s mission to inform and advise the controller or the processor. Another example of direct reporting is the drafting of an annual report of the DPO’s activities provided to the highest management level.”

For DPO conflicts of interests, the following was added “In addition, a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues.”

For the scope of the DPO role, the following was added “The DPO, whether mandatory or voluntary, is designated for all the processing operations carried out by the controller or the processor.”

For DPOs use of accountability tools, it made clear that while DPOs facilitate and carry out audits, they would only facilitate but not carry out data protection impact assessments (DPIAs).

Roger Edwards • May 16, 2017

Thanks for the update Thomas.  Most interesting is the conflict guidance which if read in conjunction with the recent enforcement action in Germany (where failure to remove an appointed DPO reporting up the IT chain) effectively eliminates existing internal and external counsel as candidates to fill the DPO role in many jurisdictions.  Providing legal advice on compliance with the GDPR is effectively representing a client before a "tribunal"  even if not technically appearing in court.  To determine if a conflict exists, one need only determine the difference in obligations, if for example a CEO makes a business decision not to notify of a data breach in a timely manner, between the lawyer (advise against it but take no action hostile to your client's welfare) and the DPO (advise against it, determine if the regulator should be notified, preserve evidence of the violation in the DPO's record).  Unlike many conflicts, this one cannot be waived as the existence of the DPO's conflict IS the violation - an agreement to waive it is an agreement with the Data Controller  to violate the statute.  Therefore, it seems likely that despite, the absence of the title of General Counsel in the listing of conflicting positions, a professional ethics review  will likely mandate that internal and external Legal counsel to the Data Controller recuse themselves from this role.  Even acting as "special counsel" would create a conflict as the duties of lawyers to clients are stated in existing statutory frameworks (bar professional codes) and any effort modify the obligations will validate the conflict and trigger the statute.  The only permissible solution is that the DPO contract explicitly state that a consulting, rather than an attorney-client relationship, exists and that the DPO is not providing legal advice to the Data Controller - this effectively eliminates the statutory duties owed to a lawyer's client.  Would appreciate hearing contrasting views.

Jakub Berthoty • Jan 23, 2018

Great article. I would be interested to know your thoughts on the position of external DPO (let's say lawyer/attorney) in relation to the processing of personal data done by the DPO at the controller or processor (e.g. handling data subject requests). Is DPO a processor, controller (or part of controller) or a sui generis type of subject not fitting into any of these categories? There seems to be no guidance on this. Thank you.

David Draycott • Aug 3, 2018

Three things:
In the real world many SME organisations don't have budget to hire a lawyer.

A non lawyer, with the right skills, could do the grind and seek external legal advice when needed.

The appointment should be risk based and consider context, if you are a low risk SME doing low risk, low volume processing then hire an appropriate candidate, if you are Amazon hire a lawyer.

The rational for GDPR not being specific is you are accountable, make sure you treat the risk appropriately and can justify it.

Comment:
I would hate companies to run off having read this and think to meet the requirements of GDPR they must hire a lawyer, even if that's not what the article actually said.

Gregory Albertyn • Oct 24, 2018

Chillax Thomas Shaw, there will be plenty of work for lawyers in privacy without needing to exclude non-lawyers from being DPO's. :)

Luke Howliston • May 17, 2020

I think an effective DPO needs to be well versed in the law, but not necessarily a lawyer. The reflex for organisations to insist on a lawyer, and following the argument of Thomas, seem to be about preparing for failure. I feel that a more operationally savvy DPO will drive better preventative measures throughout an organisation than most lawyers ever could. Lawyers are not operational. They deal with the letter of the law, and more often than not lack a pragmatism required for the DPO role. 
His statement that any DPO who is not a practising lawyer could be  involved in the unauthorized practice of law is an insult to a multitude of highly qualified professionals.

The Privacy Advisor | Two pros weigh in: Should the DPO be a lawyer? Perhaps an auditor? Related reading: WP29 releases guidance on DPOs, data portability, one-stop shop

Two pros weigh in: Should the DPO be a lawyer? Perhaps an auditor?

Authors

Tags

15 Comments

Tags

Recent Comments

Authors

Tags

15 Comments

Related Stories

WP29 releases guidance on DPOs, data portability, one-stop shop

What skills should your DPO absolutely have?

It takes 21 hours to build a DPO, and much more

Related Stories

Tags

Recent Comments